Five different security related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.
I just found out that someone (clearly a genius) has decided that the first Friday in July should be DBA Appreciation Day.
In this post I'm going to start going over the Database STIG CAT I vulnerabilities in a little more detail. The first two relate to database initialization parameters and authentication.
A lot of things are possible in the cloud, but not everything. A couple of technologies in particular that might seem common in on-premises systems are nearly impossible to deploy in the cloud. The first is the idea of multiple networks. Many systems are deployed around the idea that there is a common, “public” … Continue reading What the Cloud Can’t Do
There are over 60 controls in the DISA Oracle 12c Database Secure Technical Implementation Guide (STIG) that contain the word "audit" or "auditing"...
The simplest way to complete a DISA Secure Technical Implementation Guide (STIG) review is to start at the beginning of the checklist and work through it, one control item at a time. As you read each control, the information will be broken down into several distinct areas: metadata, content, and findings. Each control has metadata … Continue reading How To Complete a STIG Review
FIPS is a four letter word. It is also a source of some confusion when it comes to the Oracle database and DISA STIG compliance, which I will attempt to sort out to the best of my ability in this post.
The code-obfuscation-toolkit allows you to obfuscate the source code of a variety of stored programs, including procedures, functions, package bodies, and type bodies. When wrapping an object, to further obfuscate the original code in the event that it is ever unwrapped, all comments and line breaks can also be removed.
Seriously, I find all the best questions about Oracle security on forums like Oracle Communities and AskTom. Sometimes I need to be careful, though. I have a tendency to jump right to implementation details in my head without always considering all of the ramifications of the original question. Sometimes the answers seem immediately obvious, but it doesn't usually take long before someone offers an observation that makes me sit back and think that maybe my first instinct needs some qualification. Case in point...
I've seen a couple of Oracle Community and AskTom posts over the last year or two about installing anti-virus software on Oracle database servers. Usually it is because someone in security told the sysadmin or the DBA that they had to install some kind of AV software because it was required. Been there; done that. I found out the hard way that doing so was a bad idea...
I was perusing (yes, "perusing") the My Oracle Support Community Database Administration posts recently when I came across this one: "How to hide oracle database account password in a create user sql script". The poster had a problem that every database administrator has had to confront at one time or another: namely, how to embed a … Continue reading How to hide Oracle passwords in a script?
I haven't ever done this before, but this has been the busiest year yet for this blog and I thought I would take a moment to say thank you, and to reflect. I know I'm not one of those flashy sites that posts multiple times per day (how do people have time for that while doing real … Continue reading Best Year Yet
One thing that going over this material again and again over the last few weeks has driven home for me, especially as our customer considers how best to implement their various choices for development frameworks, is just how much of a fairy tale the promises of middle-tier application servers turned out to be in terms of processing business logic.
My company is going to be on the lookout for a new junior DBA in the near future, and I thought I would try something different in the interview process this time around...
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do I make this information actionable, and better yet how do I automate that action as much as possible?
This is the last post in this series, in which I have described configurations for the server wallet, server networking, client networking, and database. If you have completed all of the steps I laid out, then you are ready to test your SSL connection using your smart card. TNS Ping over TCPS First confirm that … Continue reading Database Authentication with a Smart Card – Part 5 (Testing)
In parts one, two, and three of this series I looked at configuring the database server and client software for smart card authentication. In this post I will discuss required updates to the database initialization parameters, how to gather the necessary information to create the externally authenticated database user, and how to create the user. … Continue reading Database Authentication with a Smart Card – Part 4 (Database)
I'm going to post this as a reminder to myself as much as anything else. A couple of times - most recently this week - I've had to apply patches for Oracle APEX into various databases that I work with and received the following error almost as soon as the apxpatch.sql script started to run: … Continue reading APEX Patches and NLS_LENGTH_SEMANTICS
A co-worker of mine recently had a dilemma. He needed to have a scheduler job chain in one schema trigger a second scheduler job chain in another schema when it completed. He had already come up with some ideas on how to accomplish this with a variety of home-grown solutions and he wanted to run … Continue reading AQ Basics
While perusing recent postings on the Ask Tom web site, I chanced across this one, entitled "Frustrated DBA", in which John asks the following question: "Is it just me or does doing the "typical DBA" tasks like installing, patching, backing up, checking backups, monitoring databases, creating users, checking space and other mundane tasks get boring … Continue reading The Frustrated DBA
A filter that allows incoming database connections to be approved or rejected based on the values of their sys_context parameters.
The core of virtually every application that manipulates data is the database. It is vitally important, in both production and development environments, to understand at all times what the database is doing and why. There are a variety of commercial database monitoring solutions available in the market today; most rely on SQL monitoring and monitoring … Continue reading Real-Time Oracle 11g Log File Analysis
A business or organization can only be successful if its critical data is well managed and secure. Every day the news is filled with stories of corporations, financial institutions, and governments whose data systems have been compromised. Tightly configured network architectures which limit the direction and channels through which data flows can greatly reduce the … Continue reading Deploying an Oracle 11gR2 Connection Manager